Certificate-based authentication (e.g., via the Transport Layer Security (TLS) protocol) utilizes public key certificates to establish trust and to secure communications between parties. Generally, a public key certificate binds a public key to a named entity, where the named entity is assumed to possess a private key corresponding to the public key. A signature or assertion which is decryptable using the public key (i.e., generated using the private key) can therefore be assumed to have been generated by the named entity.
In conventional cloud-based computing, a client device requests functionality from applications, or services, executing in a public or private cloud. According to a microservices architecture, an application is implemented using a collection of fine-grained loosely-coupled services communicating via lightweight protocols. These services typically delegate responsibility for client authentication and authorization to an OAuth server. For example, an OAuth server determines authorizations to a service based on authenticated user identity and issues an authorization token specifying the authorizations. The authorization token may be provided to the service, which grants access to corresponding resources based on the specified authorizations.
It may be desirable for a client system which does not support OAuth protocols to call a cloud service using certificate-based authentication (e.g., where the client system is an Enterprise Resource Planning on-premise system). However, even if the cloud service endpoint is capable of terminating a certificate-based (e.g., TLS) connection, the client certificate will not be usable by the service or by the OAuth server for authentication or authorization. Systems are desired to facilitate access by certificate-based clients to services which use token-based authentication/authorization.